IT security: What you need to know to keep your business safe

As hackers get more daring and individuals get more tech savvy, the last line of defence for businesses is often a diligent IT manager

Few will have forgotten the recent furore over the Heartbleed security bug. Parenting website Mumsnet, which has 1.5 million users, was just one of the organisations exposed by the flaw in the open-source code used by thousands of websites. Although a patch was quickly installed to close the hole, for many businesses the incident raised one crucial question: exactly how many of these security weak spots exist that we don’t know about?

While moving towards a paperless office and hosting all business-critical processes in the cloud may seem like a cost-effective and, perhaps, inevitable next step, IT managers need to take a step back and assess how to prepare themselves – and their systems – for the changes.

For many experts, the next big thing is actually the old big thing: security.

System security

While transforming the way we work for the better in many cases, innovative technology can present an increased risk to data security for businesses.

“One of the biggest things to impact the industry over the last few years has been the multi-core revolution,” says Don Sannella, professor of Computer Science at Edinburgh University and CEO of Contemplate, a start-up company selling technology that seeks out bugs in complex software applications.

“Instead of getting faster, chips are now being manufactured with more computing power – so there are more things happening at once. This often makes program execution less stable, as it’s harder to test with so many variations on the combinations of things happening at any one time.

“It sounds overly simplistic, but really the way to deal with this is to take care building systems using best practice. When you build to deadlines that are too tight – which is so often the case – it’s hard to get it right.”

Protecting against hackers

Even after a secure build, IT managers should apply rigorous testing methods to reduce the penetrability of the system.

“Whichever method you find to protect your data, you can bet that a hacker will try to find a way around it, so it’s about pre-empting those attacks and taking preventative measures,” says Tony McDowell, owner of IT security firm Encription Ltd, whose ‘ethical hackers’ specialise in doing just that – the difference being that they do it with a company’s permission to expose areas of weakness in systems in advance of any possible attack.

“Identifying attacks is one thing, but finding an antidote is something else entirely. The gap between discovery of an attack or virus and the cure is called ‘zero-day vulnerability’. During this time, systems are exposed and you are at risk,” says McDowell.

“Many IT managers don’t keep anti-virus software up to date. As thoroughly as they test patches, the makers can’t always address all the problems. So often what you’ll find is that IT managers avoid installing patches right away until they’ve seen that they’re stable enough. But the longer you delay, the more exposed you are.”

According to the latest ONS figures, there are 4.2 million UK home workers, amounting to 13.9% of the workforce. The figures include those who work at home, and those who use their home as a base but also work in different places. For those companies with employees working remotely, there is a new set of risks to consider.

“The biggest concern is data leakage. If employees are accessing their systems remotely, do you know where your data is going? It’s essential that IT managers know where employees are saving and storing those items,” says Marcus Robinson, founder at Octari, an IT solutions firm that specialises in working with SMEs.

“IT managers do need to carry out a risk assessment for home workers. The data might be encrypted and secure when it leaves you, but if they’re accessing your systems via VPN from home or on the road, you need to consider that a risk. Think about what equipment they have – USBs, laptops, mobile devices – wherever they are accessing your systems, you need to ensure best practice is being used,” advises McDowell.

People power

While systems can be programmed and functions automated, the same can’t be said for the people in your organisation. One of the biggest single threats to IT security is the employees themselves, if they’re not trained and equipped properly.

“The lack of training time is a big issue for IT managers,” says McDowell. “IT security and systems protocol should be an integral part of every staff induction and ongoing training needs to be provided to ensure everyone is up to date. Unfortunately, this doesn’t always happen, and that’s where human errors and breaches can occur.”

The new era of social and online technologies makes it easier than ever before for non-IT staff to access products and services – and this should be a concern for IT managers. “IT managers often overlook the degree to which non-IT personnel will often engage emerging technologies independent of IT,” says Terry Parsons, Chief Technology Officer at online business search engine 192.com.

“This is an ongoing pattern historically, starting with mainframe IT departments underestimating the degree to which individuals and non-technical departments began employing PCs, up to today where non-technical staff are increasingly able to exploit the availability of self-service online products and services that do not require technical expertise to implement or use.

“Whether this constitutes democratisation of technology or creeping anarchy is typically subject to your perspective, but the fact is that the technology available to individuals is increasing rapidly as the cost and complexity of accessing it is dropping fast,” says Parsons.

Supply chain

So, your systems are secured, your staff are trained and you have watertight anti-virus measures in place. You’ve got nothing to worry about, right? Well, not quite. Have you considered your suppliers?

“You may be a big business with extremely secure IT systems and processes, but what about your suppliers who also have access? For hackers, SMEs like that are often the ‘low-hanging fruit’ – they can attack them and find a back door into your company. It’s absolutely essential that you interrogate your suppliers’ security as well as your own,” advises McDowell.

This can be done by means of a ‘penetration test’ – where experts will actively seek to hack your systems to see where the weaknesses are.

“This is a common practice among suppliers to any government departments – it’s called a ‘code of connection’ test. It’s a way of ensuring that there’s no weak link in the chain where valuable data might be exposed to hackers,” says McDowell.

Ultimately, all the experts agree that creating and maintaining a productive system requires homework on the IT manager’s part.

“IT managers should ensure they go through a due diligence process and a thorough risk analysis should be the cornerstone of every IT process. Decide your risk profile at the outset and make sure you design your systems accordingly, and back up your data securely,” added McDowell.

There’s an old adage that ‘fashion is fleeting, but style is eternal’. For IT teams, innovation and new technology may get pulses racing, but ignoring security could result in a serious heart attack.